jeltz/hostap
1
0
Fork 0
Code Issues Pull requests Projects Releases Wiki Activity

Added a workaround for handling TLS compression

Browse source 
Even though we try to disable TLS compression, it is possible that this
cannot be done with all TLS libraries. For example, OpenSSL 0.9.8 does not
seem to have a configuration item for disabling all compression (0.9.9 has
such an option). If compression is used, Phase 2 decryption may end up
producing more data than the input buffer due to compressed data. This
shows up especially with EAP-TNC that uses very compressible data format.

As a workaround, increase the decryption buffer length to (orig_len+500)*3.
This is a hack, but at least it handles most cases. TLS compression should
really be disabled for EAP use of TLS, but since this can show up with
common setups, it is better to handle this case.
This commit is contained in:
Jouni Malinen 2008-05-26 12:33:04 +03:00
parent e572cb6398
commit ef626b4d50
4 changed files with 32 additions and 0 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

8
src/eap_peer/eap_tls_common.c
View file

@ -827,6 +827,14 @@ int eap_peer_tls_decrypt(struct eap_sm *sm, struct eap_ssl_data *data,
buf_len = wpabuf_len(in_data); buf_len = wpabuf_len(in_data);
if (data->tls_in_total > buf_len) if (data->tls_in_total > buf_len)
buf_len = data->tls_in_total; buf_len = data->tls_in_total;
/*
* Even though we try to disable TLS compression, it is possible that
* this cannot be done with all TLS libraries. Add extra buffer space
* to handle the possibility of the decrypted data being longer than
* input data.
*/
buf_len += 500;
buf_len *= 3;
*in_decrypted = wpabuf_alloc(buf_len ? buf_len : 1); *in_decrypted = wpabuf_alloc(buf_len ? buf_len : 1);
if (*in_decrypted == NULL) { if (*in_decrypted == NULL) {
eap_peer_tls_reset_input(data); eap_peer_tls_reset_input(data);

8
src/eap_server/eap_fast.c
View file

@ -1334,6 +1334,14 @@ static void eap_fast_process_phase2(struct eap_sm *sm,
buf_len = in_len; buf_len = in_len;
if (data->ssl.tls_in_total > buf_len) if (data->ssl.tls_in_total > buf_len)
buf_len = data->ssl.tls_in_total; buf_len = data->ssl.tls_in_total;
/*
* Even though we try to disable TLS compression, it is possible that
* this cannot be done with all TLS libraries. Add extra buffer space
* to handle the possibility of the decrypted data being longer than
* input data.
*/
buf_len += 500;
buf_len *= 3;
in_decrypted = os_malloc(buf_len); in_decrypted = os_malloc(buf_len);
if (in_decrypted == NULL) { if (in_decrypted == NULL) {
os_free(data->ssl.tls_in); os_free(data->ssl.tls_in);

8
src/eap_server/eap_peap.c
View file

@ -1161,6 +1161,14 @@ static void eap_peap_process_phase2(struct eap_sm *sm,
buf_len = in_len; buf_len = in_len;
if (data->ssl.tls_in_total > buf_len) if (data->ssl.tls_in_total > buf_len)
buf_len = data->ssl.tls_in_total; buf_len = data->ssl.tls_in_total;
/*
* Even though we try to disable TLS compression, it is possible that
* this cannot be done with all TLS libraries. Add extra buffer space
* to handle the possibility of the decrypted data being longer than
* input data.
*/
buf_len += 500;
buf_len *= 3;
in_decrypted = wpabuf_alloc(buf_len); in_decrypted = wpabuf_alloc(buf_len);
if (in_decrypted == NULL) { if (in_decrypted == NULL) {
os_free(data->ssl.tls_in); os_free(data->ssl.tls_in);

8
src/eap_server/eap_ttls.c
View file

@ -1177,6 +1177,14 @@ static void eap_ttls_process_phase2(struct eap_sm *sm,
buf_len = in_len; buf_len = in_len;
if (data->ssl.tls_in_total > buf_len) if (data->ssl.tls_in_total > buf_len)
buf_len = data->ssl.tls_in_total; buf_len = data->ssl.tls_in_total;
/*
* Even though we try to disable TLS compression, it is possible that
* this cannot be done with all TLS libraries. Add extra buffer space
* to handle the possibility of the decrypted data being longer than
* input data.
*/
buf_len += 500;
buf_len *= 3;
in_decrypted = os_malloc(buf_len); in_decrypted = os_malloc(buf_len);
if (in_decrypted == NULL) { if (in_decrypted == NULL) {
os_free(data->ssl.tls_in); os_free(data->ssl.tls_in);